ryuk | c714164da80d70bceb3d32b6290ac875550317f048aba37541bacc081bc309b2

Analysis

max time kernel
270s
max time network
221s
platform
windows7_x64
resource
win7v20210410
submitted
27-04-2021 14:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

windy-desire.exe
Size

170KB
MD5

ff5a1939a1edce4cfd068978a2a21212
SHA1

2f5a4cd0e6840f3cc63b1ca3af213b80735af03f
SHA256

c714164da80d70bceb3d32b6290ac875550317f048aba37541bacc081bc309b2
SHA512

4f84c454dcdbe6009fbe09669b5cb43e364f1750f98eac1aebbd606ea0dbec27dccdef8bbc7a5a9eeefc7eb7cc4f322cfcb32abe33f66358c4dfaa41214aec0e

Score

10^/10

ryuk persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note

Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted or deleted or backup disks were formatted. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation No decryption software is available in the public. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME OR MOVE the encrypted and readme files. DO NOT DELETE readme files. This may lead to the impossibility of recovery of the certain files. To get info (decrypt your files) contact us at [email protected] or [email protected] BTC wallet: 14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk Ryuk No system is safe

Emails

[email protected]

Wallets

14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\windy-desire.exe"	reg.exe

Enumerates connected drives 3 TTPs 36 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

description	ioc	process
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe

Drops file in Program Files directory 64 IoCs

Processes:

taskhost.exeDwm.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.nl_zh_4.4.0.v20140623020002.jar	taskhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationRight_SelectionSubpicture.png	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-core_zh_CN.jar	Dwm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_75_ffe45c_1x100.png	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00057_.WMF	Dwm.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\photoedge_videoinset.png	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\DumontDUrville	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Thatch.thmx	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate.css	Dwm.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Whitehorse	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0200163.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\UnreadIcon.jpg	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\net.properties	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ADVCMP.DIC	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ja_5.5.0.165303.jar	taskhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\RyukReadMe.txt	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Adobe.css	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\DELETE.GIF	Dwm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\as_IN\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sq\LC_MESSAGES\vlc.mo	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Marketing Projects.accdt	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\feature.xml	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\console_view.png	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107500.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WING1.WMF	taskhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\play-background.png	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Macau	Dwm.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-back-static.png	taskhost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\QUAD\THMBNAIL.PNG	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\msolui100.rll	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\epl-v10.html	Dwm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\vlc.mo	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00390_.WMF	Dwm.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0183290.WMF	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.ui.zh_CN_5.5.0.165303.jar	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-util-lookup_zh_CN.jar	Dwm.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.en-us\Office64MUISet.XML	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\CHECKBOX.JPG	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGCAL.DPV	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TR00097_.WMF	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\messages.properties	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FINCL_01.MID	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107288.WMF	Dwm.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Samarkand	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.nl_zh_4.4.0.v20140623020002.jar	Dwm.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sv.txt	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-dialogs_zh_CN.jar	taskhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsptg.xml	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Cuiaba	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-tools.jar	Dwm.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\messages.properties	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107458.WMF	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7.png	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00610_.WMF	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-impl_zh_CN.jar	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-masterfs-nio2_ja.jar	Dwm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\RyukReadMe.txt	Dwm.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-14	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\GrayCheck\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.reconciler.dropins.nl_zh_4.4.0.v20140623020002.jar	Dwm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 28 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

pid	process
70056	vssadmin.exe
70096	vssadmin.exe
70228	vssadmin.exe
70356	vssadmin.exe
70172	vssadmin.exe
70244	vssadmin.exe
70276	vssadmin.exe
70164	vssadmin.exe
70196	vssadmin.exe
69936	vssadmin.exe
70036	vssadmin.exe
70216	vssadmin.exe
70340	vssadmin.exe
69992	vssadmin.exe
1716	vssadmin.exe
69844	vssadmin.exe
70004	vssadmin.exe
70024	vssadmin.exe
69696	vssadmin.exe
70308	vssadmin.exe
70260	vssadmin.exe
70324	vssadmin.exe
70388	vssadmin.exe
220	vssadmin.exe
69832	vssadmin.exe
70132	vssadmin.exe
70292	vssadmin.exe
70068	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

windy-desire.exe

pid process

1080 windy-desire.exe

pid	process
1080	windy-desire.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

windy-desire.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1080	windy-desire.exe
Token: SeBackupPrivilege	69860	vssvc.exe
Token: SeRestorePrivilege	69860	vssvc.exe
Token: SeAuditPrivilege	69860	vssvc.exe

Suspicious use of UnmapMainImage 2 IoCs

Processes:

taskhost.exeDwm.exe

pid process

1116 taskhost.exe
1172 Dwm.exe

pid	process
1116	taskhost.exe
1172	Dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

windy-desire.execmd.exetaskhost.execmd.exeDwm.execmd.exe

description	pid	process	target process
PID 1080 wrote to memory of 1512	1080	windy-desire.exe	cmd.exe
PID 1080 wrote to memory of 1512	1080	windy-desire.exe	cmd.exe
PID 1080 wrote to memory of 1512	1080	windy-desire.exe	cmd.exe
PID 1080 wrote to memory of 1116	1080	windy-desire.exe	taskhost.exe
PID 1512 wrote to memory of 1668	1512	cmd.exe	reg.exe
PID 1512 wrote to memory of 1668	1512	cmd.exe	reg.exe
PID 1512 wrote to memory of 1668	1512	cmd.exe	reg.exe
PID 1080 wrote to memory of 1172	1080	windy-desire.exe	Dwm.exe
PID 1116 wrote to memory of 69796	1116	taskhost.exe	cmd.exe
PID 1116 wrote to memory of 69796	1116	taskhost.exe	cmd.exe
PID 1116 wrote to memory of 69796	1116	taskhost.exe	cmd.exe
PID 69796 wrote to memory of 69832	69796	cmd.exe	vssadmin.exe
PID 69796 wrote to memory of 69832	69796	cmd.exe	vssadmin.exe
PID 69796 wrote to memory of 69832	69796	cmd.exe	vssadmin.exe
PID 69796 wrote to memory of 69992	69796	cmd.exe	vssadmin.exe
PID 69796 wrote to memory of 69992	69796	cmd.exe	vssadmin.exe
PID 69796 wrote to memory of 69992	69796	cmd.exe	vssadmin.exe
PID 69796 wrote to memory of 70024	69796	cmd.exe	vssadmin.exe
PID 69796 wrote to memory of 70024	69796	cmd.exe	vssadmin.exe
PID 69796 wrote to memory of 70024	69796	cmd.exe	vssadmin.exe
PID 69796 wrote to memory of 70056	69796	cmd.exe	vssadmin.exe
PID 69796 wrote to memory of 70056	69796	cmd.exe	vssadmin.exe
PID 69796 wrote to memory of 70056	69796	cmd.exe	vssadmin.exe
PID 69796 wrote to memory of 70096	69796	cmd.exe	vssadmin.exe
PID 69796 wrote to memory of 70096	69796	cmd.exe	vssadmin.exe
PID 69796 wrote to memory of 70096	69796	cmd.exe	vssadmin.exe
PID 69796 wrote to memory of 70132	69796	cmd.exe	vssadmin.exe
PID 69796 wrote to memory of 70132	69796	cmd.exe	vssadmin.exe
PID 69796 wrote to memory of 70132	69796	cmd.exe	vssadmin.exe
PID 69796 wrote to memory of 70164	69796	cmd.exe	vssadmin.exe
PID 69796 wrote to memory of 70164	69796	cmd.exe	vssadmin.exe
PID 69796 wrote to memory of 70164	69796	cmd.exe	vssadmin.exe
PID 69796 wrote to memory of 70196	69796	cmd.exe	vssadmin.exe
PID 69796 wrote to memory of 70196	69796	cmd.exe	vssadmin.exe
PID 69796 wrote to memory of 70196	69796	cmd.exe	vssadmin.exe
PID 69796 wrote to memory of 70228	69796	cmd.exe	vssadmin.exe
PID 69796 wrote to memory of 70228	69796	cmd.exe	vssadmin.exe
PID 69796 wrote to memory of 70228	69796	cmd.exe	vssadmin.exe
PID 69796 wrote to memory of 70260	69796	cmd.exe	vssadmin.exe
PID 69796 wrote to memory of 70260	69796	cmd.exe	vssadmin.exe
PID 69796 wrote to memory of 70260	69796	cmd.exe	vssadmin.exe
PID 69796 wrote to memory of 70292	69796	cmd.exe	vssadmin.exe
PID 69796 wrote to memory of 70292	69796	cmd.exe	vssadmin.exe
PID 69796 wrote to memory of 70292	69796	cmd.exe	vssadmin.exe
PID 69796 wrote to memory of 70324	69796	cmd.exe	vssadmin.exe
PID 69796 wrote to memory of 70324	69796	cmd.exe	vssadmin.exe
PID 69796 wrote to memory of 70324	69796	cmd.exe	vssadmin.exe
PID 69796 wrote to memory of 70356	69796	cmd.exe	vssadmin.exe
PID 69796 wrote to memory of 70356	69796	cmd.exe	vssadmin.exe
PID 69796 wrote to memory of 70356	69796	cmd.exe	vssadmin.exe
PID 69796 wrote to memory of 70388	69796	cmd.exe	vssadmin.exe
PID 69796 wrote to memory of 70388	69796	cmd.exe	vssadmin.exe
PID 69796 wrote to memory of 70388	69796	cmd.exe	vssadmin.exe
PID 1172 wrote to memory of 69668	1172	Dwm.exe	cmd.exe
PID 1172 wrote to memory of 69668	1172	Dwm.exe	cmd.exe
PID 1172 wrote to memory of 69668	1172	Dwm.exe	cmd.exe
PID 69668 wrote to memory of 69936	69668	cmd.exe	vssadmin.exe
PID 69668 wrote to memory of 69936	69668	cmd.exe	vssadmin.exe
PID 69668 wrote to memory of 69936	69668	cmd.exe	vssadmin.exe
PID 69668 wrote to memory of 1716	69668	cmd.exe	vssadmin.exe
PID 69668 wrote to memory of 1716	69668	cmd.exe	vssadmin.exe
PID 69668 wrote to memory of 1716	69668	cmd.exe	vssadmin.exe
PID 69668 wrote to memory of 69696	69668	cmd.exe	vssadmin.exe
PID 69668 wrote to memory of 69696	69668	cmd.exe	vssadmin.exe

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1172

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:69668

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:69936

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
3⤵
- Interacts with shadow copies
PID:1716

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
3⤵
- Interacts with shadow copies
PID:69696

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:220

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:69844

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:70004

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:70036

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:70068

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:70172

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:70216

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:70244

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:70276

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:70308

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:70340

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1116

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:69796

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:69832

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
3⤵
- Interacts with shadow copies
PID:69992

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
3⤵
- Interacts with shadow copies
PID:70024

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:70056

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:70096

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:70132

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:70164

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:70196

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:70228

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:70260

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:70292

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:70324

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:70356

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:70388

C:\Users\Admin\AppData\Local\Temp\windy-desire.exe
"C:\Users\Admin\AppData\Local\Temp\windy-desire.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1080

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\windy-desire.exe" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1512

C:\Windows\system32\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\windy-desire.exe" /f
3⤵
- Adds Run key to start application
PID:1668

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:69860

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:69700

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab

MD5
b82b4433f20c3bb6ed6112487ee17e9d

SHA1
a7f7d1895d5bd660af38c7a1809eedc5d75d7423

SHA256
099e86409cd3811e15c31c894208ffe9201f1492eb7e66d94cc6d19a4f47d4c8

SHA512
08f9635b9266661d9d8da63d6dd624f85b740f1c667b311198bba2e281f0a6bcc75197a50c73c4340ee5c178fd5ffe2377733759431ce83c1db3c639a29bc053

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi

MD5
f64dbf8ed2558a885fd94c53c63a874e

SHA1
386aa52433abf052d8f0e67434236481341fc476

SHA256
2c5f794b7df99690d4ccbee2173ff2b611b85b29c3ffdd06b05784bd1c970c46

SHA512
dbd7d8d506ba43104d561eca5c83d83e1a5c1a997f3904f5a059dac8eb32850571de2906602f4e24de88eea02790196bcf9511a9c2b42d54e8ca7360c2d3f8b4

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml

MD5
5c5b4a703fb048d2a930048ffe771c2b

SHA1
5a031c0a390f66a210c5dc260b56048af732610d

SHA256
f6ab383009583c57fd9deb485d49ed9929e8a9926d0d6603030b960240b1dece

SHA512
fec6fef2fc61f5242938b20add6ab300f56a8e394def6f391e6ce98ba48a413c6e6ece958d3aabfbd3f6d56978d4581e1a6f59f0e977df0ea3f69f2e2710ab80

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi

MD5
621ded26df95cbee3f4eb0b580f931c8

SHA1
8c18d190ead2361be4af3a85689175cab99f0506

SHA256
e8607e1579e7b04a0498c2bbc4ec0673ce3239bfa39ddeee2d08fdb1f07f3573

SHA512
1055bcee881b83508ae857e48ee29d7eb61f8a5a26a87756ad58b43562e26dc2c4b94fc26e9be33fc3b40bc91009d59daf02fb75bff42c45ed2113272fef5e3e

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml

MD5
c49fdfea996bcc7996ceec4195ecb1c6

SHA1
6ee235428bece565b7004e5683689702869f4ed6

SHA256
0aa32c8932f51ba5c715a4aef225db9707721b2f37ca1adebd65a69d4cc04b06

SHA512
9046e286c5690d844b08ec6a6be1c541f5bed6573e6bc9c1bd13784d7e02251589302cc099ad4c234bd73418271d986a9ac2bc51e42a4a2bda060660d3fe10e0

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab

MD5
6e7613746de8a2a6848ced6560c1671e

SHA1
c0d58fb3b52b4e40b5ae716cf6490d5810953f93

SHA256
2eb9cb980afb2cad1f1da09b61990c075a53cb080e808cde7542572789f98b32

SHA512
b8758e19beb4fcdc347cc7526b8eba9e4d8fb874b03e3bd96073bcec706f23837cf4d863cdbf55bb9ce3189523bf1b04f68476615aa9c98dabddc80f15efa38e

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW2.cab

MD5
02e6d59015d81913b0b41f0d3d4a3bda

SHA1
3118281a15cb9f70390cdaf096fba27dd4b53ec6

SHA256
631a9cdf3ab094818638136bbb9bcc5bdf66423f3aff8fa320f4adb5b980db1b

SHA512
c86a7ae342064dbc93368a3a2aefce64994fe714de8be5d04872309f1bb928c263c47c63aee30e285b339258df1da4d624d3e3d48d72de07961271033f551f45

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml

MD5
5b3b783dc9123107d27ca1b4cbffa22f

SHA1
b459da7c6ed89ff79b7dd2893c026b242d745e3a

SHA256
c0b5b950c2aff616342239f06390b45e472798ab30bf7003dc77e26852e7d0e2

SHA512
0c0909b87ec5efd555d6e0bc06190f5d18c67a8bcdcebf79fed336127e58289e7e0bd63c80b9e5656935663cb70293081d2d020b0adf8529607d994a642ca223

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms

MD5
f88789bb8e39d75e8b56f8e79ee6f5f3

SHA1
dedd15b511c2ee7d1ef3c6e595b0dd96c07c8bf7

SHA256
b728ec77afacd759e23041fff83b44fa789fa4167d87cecf8a03a5ba41d7b22d

SHA512
bc1eda0582e9f508bf695174dd9f89690ff549466699c4f989c2abe1760d4a7394f8dfe08b3dde40682136434272ef57cce9fc900eac30897802654154c41cdf

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab

MD5
6372832793d54763718db6f9ca1a8a11

SHA1
630e050d0b8f0860db54febdaad5ff791fed7459

SHA256
33036b799574aeb2c43a1c9c23cd3d3e7cc9c49afc0a683de433a25f012794e9

SHA512
4afafdcb6ad9103aab64d3e9bf0b174261bb134ea271bbaea6fb9fcfc2de85d486faea8582e4a444a52232e44306435098bbf6bf5f1dfe9d4c311560080fbc8a

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi

MD5
aac3e483704504d972bb62c88b20a1b6

SHA1
2a7890ecb99bd35f1f7cab96820d134cbb75fb63

SHA256
fab85162d055e6427d7d16ecd448f3f44272890b8631e361321554df14998c09

SHA512
53339e424353aba3c530ed1fbda780e9374dcfca748ac1a9d71882f9964f100619663d3b19fe3c01b775c3c6b9ed484672ccf7ea6352fb9e8407a156ea334a13

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml

MD5
cfb9ae92d4ecebfcbcd84f60cfb20a4a

SHA1
6ab00757981193404994f818b40b2a05c82824fa

SHA256
84b43f152289f3136bf6552c35505b3b20507e4f4090dabf7d0c9f195c5d0e25

SHA512
43361a006a7ae8db82e961aa587e12d3a33a27cfd6e1763a56035730c8a0361c00f7c50168791048cb443e348f4d1ad4178626e587ced848f84de7f3681f3b48

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml

MD5
3f7eaead92cf70b650284c1b4c4b661c

SHA1
313501156987324da62564df1d4f5460afaeb1dc

SHA256
4cb91a3518fa54767c87c9fcac979081bcfe650fda012be0761e92a111fcdff1

SHA512
a2528c13d1681ddc739160124614fd32a8ba495272f0f00da6c8fe2258849b282c90044833ec94ec7791ff0645e9fe728178aa37aafccb83d3dbf358dec3c1f7

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi

MD5
4533fa6542323ff0e50261e3ba993edf

SHA1
9595db212307a8757c194e7f120246d7a468569c

SHA256
c09acfc9bc67fb11b9418af56aa0140083c6c6695180db9cb15219f3ba53ae7c

SHA512
ba5186cb118980dc77dbc86a5efbe5226edfba7e0030fd22a8e5385d569b18ea83a32332684e010b7465060e1bf6a400beeba0a06350cf4c372499c6b26a79f0

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml

MD5
1817dbad7864268e41b0f8cfb26a291f

SHA1
8d8809c951714adff065c87ca25492be90341969

SHA256
8b32ba3d475a7ee213c7a9dbb976e5e3a2412637dc992188e095fb2b180d9649

SHA512
b5f9ff8a5c3c92d7b757b728b16c01a4a7df33839d1ea9437c2522a860ec3035c2a510f381897f6afe882326717eea89dc1a1f1e534715028bc8cfb586cd31c1

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PptLR.cab

MD5
4c1e784f20e6d75538de6bae5d3ab016

SHA1
dd3a200bc0e9d400d6982739a7b58adab6e1b594

SHA256
2d113786fbf3b4b15f740bbe97881bb225bacfdfcff03b1fcc87f9147536b9cc

SHA512
b6c7cab2c3dff6040230fadadf2524405b40ff7a8b157a177399f1748679f482aa095a27fe0374cf911657b39444084f8c574117dad7e267fdc7b9ed67eea4a3

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml

MD5
1c85779549eda1e4ae130075eae1160e

SHA1
ea6288b0e2e257500ec9712c7ee4937536b33bc9

SHA256
a5296c8d88331332cadfb8d9c76c02856c2a3aa98460f4511e016da1737ee533

SHA512
455b251d4a2238327d38ebfe8bf390a74fb34c37f760b197bd4864a6f3ff1741a9558e73f93c3a7b1625a3c6194e9f4b4d85e2c1343316ab03765b78af51990f

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab

MD5
376197032df455e0c4bc16edbf6015b9

SHA1
a6a4d5c8622d6fe3b5dac583b14bf9b498c22213

SHA256
a4415834a81e69cb91f98e615249352066a3ee0358c64a588cbb7db8ae73e0bf

SHA512
e914f5297ec91ed437b5f237de1aa26454a838cb51be0f736452fc5c00a83ec21469afd89273122e79cad41c69f3f8c54143c2fab6d024d9caa015ad352c1670

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi

MD5
dc3b6a09e1507e21f7d7c92c36b5c249

SHA1
bfa717b88fa64edb9bf89c6b01d5fbd17f2916b5

SHA256
c78c5a3afb34c1e9962b77c0aa2c5deeef3555861c24257cadc68de181a52b94

SHA512
5cb6be2c758353eadbb1609d69efefa9a9046cec2f8f9d5b557dda8df36da2ee47c915ffea75b29a14a73cb3028924d357ab0589396c32d742f64176e49fb14b

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml

MD5
08d650d11c8f81df2e62c18a364d6723

SHA1
1b0343e973c86623f93e8f086b9b6ddd550ad477

SHA256
03c0433431bd26b6ddb1f641f14d5f2195436b50f09fbec13482fafd92dca5fd

SHA512
9885306f808db60effdbba1850aaaaa3a9397d2d9f29f96751f177dbad276e3343bc3b6ea33d83482d321c21497ebd0971f9ec1f0f252c0b50de20a7d566061b

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml

MD5
6347eb603895616580d4e135324f7ce9

SHA1
13de420c37a73dbf34f7697a7e79c6aa6dc846ca

SHA256
66d0c2a211b5e7e77109c01339fc50c772b3e0156133263954bf46b54e8a2e91

SHA512
d5b49013cb3521e027350085ad65f4b18e152d43b2220486053c3e78d9b1da71beea5111a44da1d37080432d92eb710b582b36dee921d02c8f1b13b51ad2ec98

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab

MD5
d2d73218c60617bf3af9e64d99976367

SHA1
fb94dc2681f579bb9446273e476241a2bcaca83a

SHA256
6652ccea1ab9896941783b6187a34d6e6fc1bf2d9dced06912f96ed3b4928a9e

SHA512
176055a3ea7f63737583410bf9b53f224c66076819aac80a3a85a4aa7730ecd957a1017269c762766f7b4297c35a9f3a58991d48af3867e2f2197c62fbcca6aa

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi

MD5
e8fc3c33d4c583fe418ab7d67b836ad8

SHA1
a393e0350430c065017a8b83063ee6a46d098a16

SHA256
68d9803ce2cdfbd36ba8ce9d48ef75068a7c422fdb0ee328cb94c803efff27a6

SHA512
c742d1a6b28bb7fd68e8ae9d93c07081e42fec1acbacea136435d52391a753cf90d0ca375fc4341a80e7d5de27a52fc1f85479ec07e0cac9e726c6bfbc8c532c

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml

MD5
3ea80ceefe387cc248ee6339a68dc2bd

SHA1
46f80092feb4544bc72126e7d4447bc83f5d92c8

SHA256
f0137a9ae2abf6fc498d381b5220f3efdf892393d84bcc2748d838a16029bcd2

SHA512
4abd26f1dc33659c21704c864ee05c0667ad9bcc2cf5220a4f112115a76f80c5f350a572a96041bb6fd95937a8d34f74aad3f6cf4692915d05961df221399319

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab

MD5
516e4fa2f31eb8c06810c864ee409571

SHA1
3b476b806b180f5a71554202c06adce533c11ab0

SHA256
41c652282847d9200f93d561991466f0900636045ab154177be77d02ba407820

SHA512
975acf523c8d2ab75223471c35be925a256f2eb908edd29e03cab9166f1b5a67a7d2c0a15b8f88d02703f298a042b3f0691fe14ad812cc268f6c4439cfe5ce09

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml

MD5
d52a50815a2a06ac8a8fdfd31c325b93

SHA1
0bd3c0db001778d71754b6a91143f8ab0bb540a2

SHA256
1b178df4c1e9fb3e5733485e4dd9c7ea08fa66be00f79dc1c8e8341714bf8fa5

SHA512
ea3d5f7504665f7ac5e8607405f07c9b1aaad29022c51d0fa4180a78d1613f4598f48427b81f0010e7da4e799c93b61659bbf7356a3907b448d8cab0451ca4c1

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi

MD5
e7e74d5c0564ef22ca64a76ff97849af

SHA1
12ee4db443b38f22973808016cf7be6ee398175b

SHA256
082cb75071c791553577847537e78517e2c461291fd4f3cc816dfdc98736e548

SHA512
2b146d26c899a5ecc5af5d0e5353db3e0828bf7ee171d36f6b83fb1060ce10d6f7c616bab1c6084672dc5adbf2e63818e52048cf963dd73570d185f47b1a122e

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab

MD5
2bdd886fad9edbef3d8f880cd9980080

SHA1
52b757bfe465317767b1ba6841acae35ca901cb5

SHA256
879347d62101301d7c7ce4414c061a550cf4e7dc4140e223d527de8bd7b3fde7

SHA512
b4e21c45bdda2aea77557c1a2292c0ff94daafa75fe30c8341019be18bf3db5648c00c52daf765e73b538867d844d7536beee79a0affe41479b7c7b35afc52dc

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml

MD5
c4652e096eff479873c3554fb5698d95

SHA1
6d625c6a390150b624a37d16d25f165ed530c579

SHA256
5eaf7f39470d14a86b57aa61bf92a4338c8f1d1bc7517e9d329bf5429c515f01

SHA512
eed6953ad767c33c911ea7e9a23f52808e8a34625dd349a0d0518df21bece16a38d821e40848c1ee48fd4e62a87fc4bcb1c6dce5dad92ba8bbc3682461267d8c

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi

MD5
15d716f1cc7b12b04d86c411616def87

SHA1
a34a98a1204282f20b7ada4d03c170d43f6159f0

SHA256
74064f7a63896fc3aba92e5c171a271f6fa02704006f0426fd31bda433486081

SHA512
e7f941d84e93612b88356b0923f46c6b6b8257a43ecd3fed54582927e2be3d99a0c50f58832d90da5d237a94fc402d5637454fc1b47136ac6ceb3eea3879b1ca

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi

MD5
aa355eb16cee7e6477041176c91d4356

SHA1
855391926a0aabd0c45898f5790b4af956b5a0bc

SHA256
ddf6e2649bea36653b5334e8457be800040f6d77cd4562fb0ada62ddd191ce7d

SHA512
74b4cfc12b3157918d75de75e7b6fd83fb93e6ae007ff69f03befca8b99ae6b63591882f6eff8548cafcf07497fb2a38fba3ef81a81f84eeeb68d63928407db1

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Setup.xml

MD5
6021e32558dff146ffe7bf8ae325f3b1

SHA1
7fbbf7832f79391b577804ec6766a7b3e3ba7c83

SHA256
33d3ec35dc2ba86e4426e795419b453b700390249d6bdeeb6dc36df6971e8feb

SHA512
588e55982afc0a8a22b1bbce1c9cf133399d8c3272e656f7d4413296bd9f4ee26b4fbd5ce60f264ca25f383cdc66d9448104fd0f38248a490ec807b3b90cf204

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi

MD5
97265bab2e2560d1b9d4d25b40a4e837

SHA1
f37201a4dea668a71e35f83c6c1d513760133851

SHA256
42dcd9cf2c148ae4edd6259657c09013d38d597baf5a62806f06fa0f69ae5fd4

SHA512
97eda1a694629250edc524642e57b39d7c6d08aadb23977f1af37f6887d3f0a673655614c9b3e07a0f1f406fca58c30b16699c8d42f30f01c7cd3cf1b71238bc

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\PerfLogs\Admin\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\PerfLogs\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\Program Files\7-Zip\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\Program Files\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_17ebba21-ade9-4848-b865-5b9359ee593d

MD5
00f5fdebc80e18103e7e0e63e1560ed7

SHA1
df3c4ed1e69900fd308fe9b7170b41c0c1fefffd

SHA256
aa91c911158c9889e39e368917a409223ced34a96abd31550f237ac92d69df5d

SHA512
70023e2f0842014d438053904eb05dd8c08f03f9ad60abee1345b8ae0680085e4a1e816b239fde1abeb7033237141018451afa63a6c40f6ea39c697c2df49850

Download Submit
C:\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\users\Public\window.bat

MD5
d2aba3e1af80edd77e206cd43cfd3129

SHA1
3116da65d097708fad63a3b73d1c39bffa94cb01

SHA256
8940135a58d28338ce4ea9b9933e6780507c56ab37a2f2e3a1a98c6564548a12

SHA512
0059bd4cc02c52a219a0a2e1836bf04c11e2693446648dd4d92a2f38ed060ecd6c0f835e542ff8cfef8903873c01b8de2b38ed6ed2131a131bdd17887c11d0ec

Download Submit
\??\c:\Program Files\BackupExpand.mpeg

MD5
8e1bfc3b7188ab7b3a87dcdb4db81cb2

SHA1
8fc2641ac981bbd654658ceebe27b6dddaeb19ad

SHA256
c8da2abe1a8de64c99c18778499532887d246891294079f052aef0247a4a315d

SHA512
c2b622a581514623187d9fb4ab23a5c5fbc6eb6b95b2d37b9905ef60be66c80977cfbd4f66ac62487d6f685c7679878162df931468b603ed13020b371f294c4f

Download Submit
\??\c:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.bak

MD5
6396f3f2f45004fa87ae4491d58aacd4

SHA1
8688c3fe990d8c0c6cec1c6efd552c06ba179608

SHA256
cc693fbecd6766734172df6fe29710606233b5ae7f8bdc6a48e999953ab784d2

SHA512
2ee4f0567ebe7fb9b2fbb30f012eaa3eb25edfcead5cd9ac7458b39017309b94d52b0dbd375df56e68f938e45498fcef7993408156954b90ccad89ece4d5c95a

Download Submit
\??\c:\Users\Admin\Pictures\BackupProtect.raw

MD5
3b45ce85b4913f36d7d275a6fe266916

SHA1
7f4eec6588e9d325bde8da8d9d02621cd7f3e502

SHA256
cdef2b0be4ecad741d003e9ada5af9918840f276a70526c7d9925c9a6a67ba80

SHA512
349c46881601f800d8eff7c22e9a6dc754dbef670d8c9cfbb230fb0729eae3e38a1c724cef90a00c23f974acde710533ce20847702a9edde6aaf329e1ee296df

Download Submit
memory/220-148-0x0000000000000000-mapping.dmp

Download
memory/1080-60-0x000007FEFBFF1000-0x000007FEFBFF3000-memory.dmp

Filesize
8KB

Download
memory/1116-63-0x000000013F1F0000-0x000000013F57E000-memory.dmp

Filesize
3.6MB

Download
memory/1512-61-0x0000000000000000-mapping.dmp

Download
memory/1668-62-0x0000000000000000-mapping.dmp

Download
memory/1716-146-0x0000000000000000-mapping.dmp

Download
memory/69668-144-0x0000000000000000-mapping.dmp

Download
memory/69696-147-0x0000000000000000-mapping.dmp

Download
memory/69796-65-0x0000000000000000-mapping.dmp

Download
memory/69832-67-0x0000000000000000-mapping.dmp

Download
memory/69844-149-0x0000000000000000-mapping.dmp

Download
memory/69936-145-0x0000000000000000-mapping.dmp

Download
memory/69992-68-0x0000000000000000-mapping.dmp

Download
memory/70004-150-0x0000000000000000-mapping.dmp

Download
memory/70024-69-0x0000000000000000-mapping.dmp

Download
memory/70036-151-0x0000000000000000-mapping.dmp

Download
memory/70056-70-0x0000000000000000-mapping.dmp

Download
memory/70068-152-0x0000000000000000-mapping.dmp

Download
memory/70096-71-0x0000000000000000-mapping.dmp

Download
memory/70132-72-0x0000000000000000-mapping.dmp

Download
memory/70164-73-0x0000000000000000-mapping.dmp

Download
memory/70172-153-0x0000000000000000-mapping.dmp

Download
memory/70196-74-0x0000000000000000-mapping.dmp

Download
memory/70216-154-0x0000000000000000-mapping.dmp

Download
memory/70228-75-0x0000000000000000-mapping.dmp

Download
memory/70244-155-0x0000000000000000-mapping.dmp

Download
memory/70260-76-0x0000000000000000-mapping.dmp

Download
memory/70276-156-0x0000000000000000-mapping.dmp

Download
memory/70292-77-0x0000000000000000-mapping.dmp

Download
memory/70308-157-0x0000000000000000-mapping.dmp

Download
memory/70324-78-0x0000000000000000-mapping.dmp

Download
memory/70340-158-0x0000000000000000-mapping.dmp

Download
memory/70356-79-0x0000000000000000-mapping.dmp

Download
memory/70388-80-0x0000000000000000-mapping.dmp

Download